EP2194482A1 - Authentication intermediary server and programs therefor - Google Patents

Authentication intermediary server and programs therefor Download PDF

Info

Publication number
EP2194482A1
EP2194482A1 EP09014702A EP09014702A EP2194482A1 EP 2194482 A1 EP2194482 A1 EP 2194482A1 EP 09014702 A EP09014702 A EP 09014702A EP 09014702 A EP09014702 A EP 09014702A EP 2194482 A1 EP2194482 A1 EP 2194482A1
Authority
EP
European Patent Office
Prior art keywords
authentication
server
information
user
service providing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP09014702A
Other languages
German (de)
English (en)
French (fr)
Inventor
Dan Yamamoto
Tadashi Kaji
Takahiro Fujishiro
Shinichi Irube
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hitachi Ltd
Original Assignee
Hitachi Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hitachi Ltd filed Critical Hitachi Ltd
Publication of EP2194482A1 publication Critical patent/EP2194482A1/en
Withdrawn legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Definitions

  • the present invention relates to a technique of selecting an authentication server to which a terminal device makes a request for authentication of its user when the terminal device is going to receive provision of service from a service providing server.
  • OpenID Authentication described in Document 3, it is possible to designate an authentication server to use for authentication for a user by presenting a URL called an OpenID to a service providing server.
  • an authentication server should be selected case by case among a plurality of authentication servers, it is necessary to prepare an OpenID for every authentication server to use, and this reduces the user's convenience.
  • the present invention provides a technique that can dynamically change authentication servers in consideration of user's situation, kinds of services used by a user, and user's convenience.
  • an authentication server that satisfies usage conditions previously set by a user is selected.
  • the disclosed system provides an authentication intermediary server that selects an authentication server for authenticating a user of a terminal device when the terminal device is going to receive service from a service providing server
  • the authentication intermediary server comprises a control part and a storage part that stores service providing server request information that specifies a service providing server ID and specifies a requested condition requested in authentication by the service providing server ID
  • the control part performs: processing, in which, when an information acquisition request specifying a service providing server ID is received from the service providing server, a requested condition corresponding to the service providing server ID specified by the information acquisition request is acquired from the service providing server request information, and the authentication server satisfying the acquired requested condition is selected; and processing, in which information specifying the selected authentication server is notified to the service providing server.
  • an authentication server dynamically in consideration of a user's situation, a kind of service used by the user, and user's convenience.
  • Fig. 1 is a schematic diagram showing an authentication system 10 as one embodiment of the present invention.
  • the authentication system 10 comprises a terminal device 1, a plurality of service providing servers 2A, 2B, ... (hereinafter, simply referred to as a service providing server 2 if it is not needed to distinguish each), a plurality of authentication servers 3A, 3B, ... (hereinafter, simply referred to as an authentication server 3 if it is not needed to distinguish each), an authentication intermediary server 4, and a presence server 5. These can send and receive information to and from one another via a network 6.
  • Fig. 2 is a schematic diagram showing an example of the terminal device 1.
  • the terminal device 1 comprises a storage part 101, a control part 105, an input part 115, an output part 116, a transmitting/receiving part 117, and a voice input/output part 118.
  • the storage part 101 comprises a session information storage area 102 and a presence information storage area 103.
  • the session information storage area 102 stores session information that specifies a session established with another apparatus through the network 6.
  • a session means a sequence of data communications performed between apparatuses.
  • the session information storage area 102 stores a session information table 102a as shown in Fig. 3 (a schematic diagram showing the session information table 102a).
  • the session information table 102a has a destination ID field 102b and a session ID field 102c.
  • the destination ID field 102b stores information specifying a destination apparatus.
  • a service providing server ID or an authentication server ID (which is identification information for uniquely identifying each apparatus, i.e. a service providing server 2 or an authentication server 3) is stored.
  • a URL such as "http://www.hitachi.com/" may be used as a value of the destination ID field.
  • the session ID field 102c stores information specifying a session with the apparatus specified in the destination ID field 102b.
  • a session ID (which is identification information uniquely assigned to each session) is stored.
  • a character string that has been delivered as a Set-Cookie header value in an HTTP response from the Web server may be stored as a value of the session ID field.
  • the presence information storage area 103 stores presence information of a user who uses the terminal device 1.
  • the control part 105 comprises a service using part 106, a service request generation part 107, a service communication part 108, an authentication processing part 109, a session management part 110, a presence information processing part 111, a voice communication part 112 and a user policy processing part 113.
  • the service using part 106 performs processing of providing an input/output interface for the user to use a service through the input part 115 and the output part 116, and receiving input of necessary information.
  • the service request generation part 107 performs processing of generating a message (a service request message) for requesting a service of a service providing server 2 through the input part 115 and the output part 116, on the basis of information whose input has been received by the service using part 106.
  • the service communication part 108 controls processing of transmitting and receiving information through the transmitting/receiving part 117 and the network 6.
  • the service communication part 108 is implemented by a protocol stack that enables HTTP communication for using Web sites and Web applications.
  • the service communication part 108 performs transfer processing of a message sent or received between the authentication intermediary server 4 and a service providing server 2.
  • the authentication processing part 109 performs processing of calculating information required for an input or output request to the user and for authentication when the authentication is performed by an authentication server 3. For example, in the case where an authentication scheme performed by an authentication server 3 is the TLS client authentication, the authentication processing part 109 performs processing of: requesting the user to input a Personal Identification Number (PIN), through the output part 116 if necessary; acquiring the user's secret key stored in a portable storage medium such as a smart card or the storage part 101; combining information sent from the authentication server 3 to calculate information for proving the user's identity; and transmitting the calculated information to the authentication server 3 through the transmitting/receiving part 117.
  • PIN Personal Identification Number
  • the session management part 110 performs processing of managing a session established with another apparatus by the terminal device 1. For example, when the terminal device 1 establishes a session with a service providing server 2 or an authentication server 3, the session management part 110 generates a new record in the session information table 102a, stores the ID of the coupled apparatus and the session ID in the generated record, and at the end (i.e. disconnection) of the established session, deletes the record corresponding to the session.
  • the presence information processing part 111 performs processing of managing presence information of the user of the terminal device 1. For example, the presence information processing part 111 performs processing of receiving input of information specifying whether the user is at "home” or at "office” from the user of the terminal device 1 through the input/output part 115, and storing the inputted information specifying "home” or "office” in the presence information storage area 103 of the storage part 101.
  • the presence information processing part 111 stores information specifying that the user of the terminal device 1 is performing voice communication (i.e. information specifying "talking"), in the presence information storage area 103 of the storage part 101.
  • the presence information processing part 111 controls processing of transmitting the presence information stored in the presence information storage area 103 through the transmitting/receiving part 117 and the network 6.
  • the voice communication part 112 performs call control according to Session Initiation Protocol (SIP) or the like, and controls voice communication according to Real Time Protocol (RTP) or the like.
  • SIP Session Initiation Protocol
  • RTP Real Time Protocol
  • control part 204 comprises a service providing part 205, a session management part 206, an authentication server information acquisition part 207, an authentication request processing part 208, and a service communication part 209.
  • the service providing part 205 performs processing of providing a service requested by the terminal device 1 to the terminal device 1.
  • the session management part 206 performs processing of managing a session established with another apparatus by the service providing server 2. For example, when the service providing server 2 establishes a session with the terminal device 1, the session management part 206 generates a new record in the session information table 202a, stores the ID of the destination apparatus and the session ID in the generated record, and at the end of the established session, deletes the record corresponding to the session.
  • the authentication server information acquisition part 207 performs processing of acquiring authentication server information, which specifies an authentication server 3 to perform authentication of the user of the terminal device 1, from the authentication intermediary server 4 directly through the transmitting/receiving part 213 and the network 6 or indirectly via the terminal device 1.
  • the service providing server 2 can directly make a request to the authentication intermediary server 4 for authentication server information by using HTTP or HTTPS, to acquire the authentication server information.
  • the service providing server 2 may indirectly make a request to the authentication intermediary server 4 for authentication server information via the terminal device 1 by using an HTTP redirect according to Identity Provider Discovery Profile described in Document 2, to acquire the authentication server information.
  • the authentication request processing part 208 performs processing of transmitting, indirectly via the terminal device 1, an authentication request message for requesting authentication of the user to the authentication server 3 designated by authentication server information, when the authentication server information is received from the authentication intermediary server 4. For example, if the terminal device 1, the service providing server 2, and the authentication server 3 can communicate by using HTTP or HTTPS, then it is possible to transmit indirectly an authentication request message by using an HTTP redirect via the terminal device 1.
  • the service communication part 209 performs processing of transmitting and receiving information required for providing a service to the terminal device 1, through the transmitting/receiving part 213 and the network 6.
  • the service communication part 209 may be implemented as a protocol stack that enables HTTP communication for using Web sites and Web applications.
  • the input part 211 receives input of information.
  • the output part 212 outputs information.
  • the transmitting/receiving part 213 transmits and receives information via the network 6.
  • the above-described service providing server 2 can be implemented, for example, by a computer 9 as shown in Fig. 4 .
  • the storage part 201 can be implemented when the CPU 901 uses the memory 902 or the external storage 903.
  • the control part 204 can be implemented when a prescribed program stored in the external storage 903 is loaded into the memory 902 and executed by the CPU 901.
  • the input part 211 can be implemented when the CPU 901 uses the input unit 906.
  • the output part 212 can be implemented when the CPU 901 uses the output unit 907.
  • the transmitting/receiving part 213 can be implemented when the CPU 901 uses the transmitting/receiving unit 908.
  • the prescribed program may be downloaded from a storage medium 904 through the reader/writer 905 or from a network through the transmitting/receiving unit 908 to the external storage 903, and then loaded into the memory 902 and executed by the CPU 901. Or, the prescribed program may be directly loaded into the memory 902 from a storage medium 904 through the reader/writer 905 or from a network through the transmitting/receiving unit 908, and executed by the CPU 901.
  • FIG. 7 is a schematic diagram showing an example of an authentication server 3.
  • an authentication server 3 comprises a storage part 301, a control part 305, an input part 312, an output part 313, and a transmitting/receiving part 314.
  • the session information storage area 302 stores session information that specifies a session with another apparatus, which has been established by the authentication server 3 through the network 6.
  • a session information table 302a as shown in Fig. 8 (a schematic diagram showing the session information table 302a) is stored in the session information storage area 302.
  • the destination ID field 302b stores information specifying a destination apparatus.
  • information specifying a destination apparatus identification information for uniquely identifying each apparatus (terminal device 1) is stored.
  • terminal device 1 the terminal device 1
  • the user ID of the user using the terminal device 1 may be used.
  • the session ID field 302c stores information specifying a session with the apparatus specified in the destination ID field 302b.
  • a session ID (which is identification information for uniquely assigned to each session) is stored.
  • a character string delivered as a Cookie header value in an HTTP request from the Web client may be stored as a value of the session ID.
  • the user attribute information table 303a has a user ID field 303b and an attribute field 303c.
  • the attribute field 303c stores information specifying the attribute of the user specified in the user ID field 303b.
  • the attribute field 303c stores information corresponding to the authentication scheme performed in the authentication server 3 out of pieces of information specifying the user's name, the user's mail address, the user's address, the user's digital certificate and the like.
  • the user attribute information is transmitted to the service providing server 2 within the limits of the policy set by the user, when a request is received from the service providing server 2. If necessary for authentication, the user attribute storage area 303 can store the password of the user.
  • the authentication execution part 307 performs processing required for authentication of a user.
  • the authentication execution part 307 requests information for proving user's identity from the terminal device 1 through the transmitting/receiving part 314 and the network 6.
  • the authentication execution part 307 can perform user authentication by transmitting a random number sequence to the terminal device 1 and verifying whether information returned from the terminal device 1 is calculated with the secret key held by the terminal device 1. This verification of the returned information is performed by using the digital certificate of the terminal device 1 stored in the user attribute storage area 303.
  • the authentication result generation part 308 generates authentication result information that specifies the result of user authentication performed by the authentication execution part 307.
  • an XML document called SAML Assertion described in Document 1 can be used.
  • the session management part 309 performs processing of managing a session established with another apparatus by the authentication server 3. For example, when the authentication server 3 establishes a session with the terminal device 1, the session management part 309 generates a new record in the information table 302a, stores the ID of the destination apparatus and a session ID in the new record, and at the end of the established session, deletes the record corresponding to the session.
  • the user attribute management part 310 On receiving a request from the terminal device 1, the user attribute management part 310 performs processing of generating, updating, or deleting user attribute information stored in the user attribute storage area 303.
  • the user attribute management part 310 performs processing of transmitting the requested user attribute information to the service providing server 2 within the limits of the policy set by the user.
  • the input part 312 receives input of information.
  • the output part 313 outputs information.
  • the above-described authentication server 3 can be implemented, for example, by a computer 9 as shown in Fig. 4 .
  • the storage part 301 can be implemented when the CPU 901 uses the memory 902 or the external storage 903.
  • the control part 305 can be implemented when a prescribed program stored in the external storage 903 is loaded into the memory 902 and executed by the CPU 901.
  • the input part 312 can be implemented when the CPU uses the input unit 906.
  • the output part 313 can be implemented when the CPU 901 uses the output unit 907.
  • the transmitting/receiving part 314 can be implemented when the CPU 901 uses the transmitting/receiving unit 908.
  • the prescribed program may be downloaded from a storage medium 904 through the reader/writer 905 or from a network through the transmitting/receiving unit 908 to the external storage 903, and then loaded into the memory 902 and executed by the CPU 901. Or, the prescribed program may be directly loaded into the memory 902 from a storage medium 904 through the reader/writer 905 or from a network through the transmitting/receiving unit 908, and executed by the CPU 901.
  • Fig. 10 is a schematic diagram showing an example of configuration of the authentication intermediary server 4.
  • the authentication intermediary server 4 comprises a storage part 401, a control part 411, an input part 418, an output part 419, and a transmitting/receiving part 420.
  • the storage part 401 comprises a user policy information storage area 402, an authentication server information storage area 403, a service providing server request information storage area 404, an authentication level information storage area 405, a provided authentication strength information storage area 406, an authentication level definition information storage area 407, an ID information storage area 408, and an attribute information storage area 409.
  • the user policy information storage area 402 stores user policy information for each user, which specifies a selection guideline for selecting an authentication server 3.
  • a user policy information table 402a as shown in Fig. 11 (a schematic diagram showing the user policy information table 402a) is stored in the user policy information storage area 402.
  • the user policy information table 402a has a user ID field 402b, an authentication server ID field 402c, a last authentication time field 402d, a priority field 402e, a usage condition field 402f, and a service providing server ID condition field 402g.
  • the user ID field 402b stores information specifying user of the terminal device 1.
  • a user ID (which is identification information assigned uniquely to each user) is stored.
  • one user ID is associated with one or more pieces of authentication server related information in the form of a record (i.e. a line in the table).
  • Each piece of authentication server related information comprises an authentication server ID, a last authentication time, a priority, and an usage condition.
  • the authentication server ID field 402c stores information (here, an authentication server ID) specifying an authentication server 3 that can authenticate the user specified in the user ID field 402b. For example, if an authentication server 3 accepts connection according to HTTP, a URL such as "http://www.hitachi.com/" can be used as a value of the authentication server ID field 402c.
  • the last authentication time field 402d stores information (here, year-month-date and time) specifying the last time when the authentication server 3 specified in the authentication server ID field 402c was selected for authentication of the user specified in the user ID field 402b.
  • the service providing server ID field 404b stores information specifying a service providing server 2.
  • a service providing server ID which is identification information for uniquely identifying each service providing server 2 is stored.
  • the requested attribute information field 404e stores information specifying a type of user's attribute information whose disclosure the service providing server 2 specified in the service providing server ID field 404b requests from an authentication server 3.
  • the requested attribute information field 404e stores the symbol "*", it is meant that the service providing server 2 specified in the service providing server ID field 404b does not request specific attribute information from an authentication server 3.
  • the authentication level information table 405a has a user ID field 405b and a current authentication level field 405c.
  • the user ID field 405b stores information specifying a user.
  • a user ID which is identification information for uniquely identifying each user, is stored.
  • the current authentication level field 405c stores information specifying the most recent authentication level (currently-effective authentication level) of authentication that the user specified in the user ID field 405b has undergone.
  • the provided authentication strength information storage area 406 stores provided authentication strength information that specifies an authentication scheme provided by an authentication server 3 and the authentication strength of that authentication scheme.
  • a provided authentication strength information table 406a as shown in Fig. 15 (a schematic diagram showing the provided authentication strength information table 406a) is stored in the provided authentication strength information storage area 406.
  • the provided authentication strength information table 406a has an authentication server ID field 406b, a provided authentication scheme field 406c, an authentication strength field 406d, and a providing URI field 406e.
  • the authentication server ID field 406b stores information specifying an authentication server 3.
  • an authentication server ID (which is identification information for uniquely identifying each authentication server 3) is stored.
  • the provided authentication scheme field 406c stores information specifying an authentication scheme provided by the authentication server 3 specified in the authentication server ID field 406b.
  • the authentication strength field 406d stores information specifying authentication strength of authentication performed by the authentication server 3 specified in the authentication server ID field 406b according to the authentication scheme specified in the provided authentication scheme field 406c.
  • the providing URI field 406e stores information specifying a URI at which the authentication server 3 specified in the authentication server ID field 406b provides authentication according to the authentication scheme specified in the provided authentication scheme field 406c.
  • the authentication level definition information storage area 407 stores authentication level definition information that specifies a definition of authentication level.
  • an authentication level definition information table 407a as shown in Fig. 16 (a schematic diagram showing the authentication level definition information table 407a) is stored in the authentication level definition information storage area 407.
  • the authentication level field 407b stores information specifying an authentication level.
  • authentication level in the case where a service provider requests a certain authentication level and a user satisfies an authentication level of a larger figure than that of the requested level, then it is judged that the user satisfies the requested authentication level.
  • the ID information storage area 408 stores ID information that specifies a specific user ID used by a user in each service providing server 2.
  • ID information table 408a as shown in Fig. 17 (a schematic diagram showing the ID information table 408a) is stored in the ID information storage area 408.
  • the ID information table 408a has a user ID field 408b, a server ID field 408c, and a service-specific user ID field 408d.
  • the server ID field 408c stores information specifying a service providing server 2 from which the user specified in the user ID field 408b receives service.
  • a service providing server ID which is identification information for uniquely identifying each service providing server 2, is stored.
  • the attribute information storage area 409 stores attribute information that specifies attribute of a user.
  • an attribute information table 409a as shown in Fig. 18 (a schematic diagram showing the attribute information table 409a) is stored in the attribute information storage area 409.
  • the user ID field 409b stores information specifying a user.
  • a user ID which is identification information for uniquely identifying each user, is stored.
  • control part comprises an information acquisition request processing part 412, an authentication server selecting part 413, a user policy management part 414, a user information acquisition part 415, and an identity conversion part 416.
  • the received information acquisition request message does not include a user ID
  • it is possible to return a response message (for example, an HTTP response including a form tag) requesting input of a user ID to the terminal device 1 through the transmitting/receiving part 420 and the network 6, to acquire the user ID.
  • the authentication server selecting part 413 acquires the user ID and the service providing server ID from the information acquisition request processing part 412
  • the authentication server selecting part 413 acquires information corresponding to the acquired user ID and service providing server ID from the user policy information stored in the user policy information storage area 402, the authentication server information stored in the authentication server information storage area 403, and the service providing server request information stored in the service providing server request information storage area 404 of the storage part 401, and selects an authentication server 3 to be used for authentication of the user by referring to the user's presence information acquired by the below-described user information acquisition part 415.
  • the authentication server selecting part 413 transmits authentication server information specifying the selected authentication server 3 directly to the service providing server 2 or indirectly via the terminal device 1.
  • authentication server information specifying the selected authentication server 3 directly to the service providing server 2 or indirectly via the terminal device 1.
  • the authentication server information may be transmitted to the service providing server 2 indirectly via the terminal device 1 by using an HTTP redirect.
  • the user information acquisition part 415 transmits a presence information acquisition request specifying a user ID to the presence server 5 through the transmitting/receiving part 420 and the network 6, to acquire the presence information of the user corresponding to the user ID from the presence server 5. Or, if there is on the network 6 a server that manages user information similar to the presence information, the user information is acquired from that server.
  • the input part 418 receives input of information.
  • the output part 419 outputs information.
  • the above-described authentication intermediary server can be implemented, for example, by a computer 9 as shown in Fig. 4 .
  • the prescribed program may be downloaded from a storage medium 904 through the reader/writer 905 or from a network through the transmitting/receiving unit 908 to the external storage 903, and then loaded into the memory 902 and executed by the CPU 901. Or, the prescribed program may be directly loaded into the memory 902 from a storage medium 904 through the reader/writer 905 or from a network through the transmitting/receiving unit 908, and executed by the CPU 901.
  • Fig. 19 is a schematic diagram showing an example of the presence server 5.
  • the presence server 5 comprises a storage part 501, a control part 504, an input part 508, an output part 509, and a transmitting/receiving part 510.
  • the presence information storage area 502 stores presence information that specifies situation of the user of the terminal device 1.
  • a presence information table 502a as shown in Fig. 20 (a schematic diagram showing the presence information table 502a) is stored in the presence information storage area 502.
  • the user ID field 502b stores information that specifies a user.
  • a user ID which is identification information for uniquely identifying each user, is stored.
  • the presence information field 502c stores presence information that specifies situation (presence) of the user specified in the user ID field 502b.
  • the information acquisition request processing part 505 When the information acquisition request processing part 505 receives an information acquisition request message through the transmitting/receiving part 510 and the network 6 from the authentication intermediary server 4, the information acquisition request processing part 505 acquires a user ID contained in the received information acquisition request message, and searches for presence information stored in the presence information storage area 502 by using the user ID as a key. When the presence information of the user specified in the user ID is acquired as a result of the search, the information acquisition request processing part 505 returns the presence information through the transmitting/receiving part 510 and the network 6 to the authentication intermediary server 4 that has sent the information acquisition request message.
  • the information update request processing part 506 When the information update request processing part 506 receives an information update request message from the terminal device 1 through the transmitting/receiving part 510 and the network 6, the information update request processing part 506 acquires the user ID and the presence information contained in the received information update request message, and generates or update a record corresponding to the user ID in the presence information storage area 502.
  • the input part 508 receives input of information.
  • the output part 509 outputs information.
  • the transmitting/receiving part 510 transmits and receives information through the network 6.
  • the above-described presence server 5 can be implemented, for example, by a computer 9 as shown in Fig. 4 .
  • the storage part 501 can be implemented when the CPU 901 uses the memory 902 or the external storage 903.
  • the control part 504 can be implemented when a prescribed program stored in the external storage 903 is loaded into the memory 902 and executed by the CPU 901.
  • the input part 508 can be implemented when the CPU 901 uses the input unit 906.
  • the output part 509 can be implemented when the CPU 901 uses the output unit 907.
  • the transmitting/receiving part 510 can be implemented when the CPU 901 uses the transmitting/receiving unit 908.
  • the prescribed program may be downloaded from a storage medium 904 through the reader/writer 905 or from a network through the transmitting/receiving unit 908 to the external storage 903, and then loaded into the memory 902 and executed by the CPU 901. Or, the prescribed program may be directly loaded into the memory 902 from a storage medium 904 through the reader/writer 905 or from a network through the transmitting/receiving unit 908, and executed by the CPU 901.
  • Figs. 21 and 22 are sequence diagrams showing an example of processing performed when authentication is performed in the authentication system 10.
  • the present sequences show processing in each apparatus in the case where a user identified by a user ID "user001" uses the terminal device 1 requests provision of service from a service providing server 2A identified by a service providing server ID "sp001" and a service providing server 2B identified by a service providing server ID "sp002".
  • a session has not been established between the terminal device 1 and another apparatus.
  • an authentication server 3A is identified by an authentication server ID "idp001" and an authentication server 3B by an authentication server ID "idp002".
  • the service request generation part 107 of the terminal device 1 when the user of the terminal device 1 performs through the input part 115 a service request operation for receiving provision of service from the service providing server 2A, then the service request generation part 107 of the terminal device 1 generates a service request message specifying the user ID "user001" of the user of the terminal device 1, and transmits the generated service request message to the service providing server 2A through the transmitting/receiving part 117 and the network 6 (S10).
  • the service request message is described by using a GET request, a POST request, or the like of HTTP, although this example is not intended to be limitation.
  • the service communication part 209 examines whether the service request message includes session information (the present sequence is described assuming that session information is not included). When it is known that session information does not exist, the authentication server information acquisition part 207 generates an information acquisition request message in which the user ID "user001" and the service providing server ID "sp001" are specified, and transmits the generated message to the authentication intermediary server 4 through the transmitting part 213 and the network 6 via the terminal device 1 (S11, S12).
  • the information acquisition request processing part 505 acquires, from the presence information storage area 502, the presence information corresponding to the user ID (here "user001") contained in the received presence information acquisition request message, and returns a response message including the acquired presence information to the authentication intermediary server 4 (S14).
  • the presence information table 502 shown in Fig. 20 the information specifying "home” is acquired as the presence information corresponding to the user ID "user001".
  • the authentication server selecting part 413 acquires a set of pieces (i.e. records) of policy information (authentication server ID, last authentication time, priority, usage condition, service providing server ID condition) from the user policy information table 402a stored in the user policy information storage area 402, and stores the acquired set as a group of candidates for the authentication server 3 to be used in the storage part 401.
  • policy information authentication server ID, last authentication time, priority, usage condition, service providing server ID condition
  • the authentication server selecting part 413 refers to the authentication level definition table 407a, and compares the current authentication level "0" of the user identified by the user ID "user001" with the requested authentication level "2" in order to judge what authentication strength is required for satisfying the requested authentication level "2".
  • the authentication level "0" means the state that "authentication has not been performed yet”
  • the authentication level "2” means the state that "authentication is performed one time according to an authentication scheme of the authentication strength 2”.
  • the authentication server selecting part 407 selects only authentication servers 3 whose value of the service providing server ID condition includes the service providing server ID of the service providing server 2 as the source of the information acquisition request message, and deletes the others from the group of candidates.
  • the ID "sp001" of the service providing server as the source of the information acquisition request message is included in the service providing server ID condition of each record, and thus all the authentication servers 3 in the group of candidates are left as the candidates.
  • the authentication server selecting part 407 acquires authentication server information (supported authentication scheme and retained attribute information) corresponding to the authentication server IDs remaining in the group of candidates for the authentication server 3 to be used, and adds the acquired information to (i.e. associates the acquired information with) each of the group of candidates in the storage area 401.
  • the shortfall of authentication strength is "2", and "mail address” is designated as the requested attribute information.
  • the authentication servers 3 of "idp001" and “idp002” are left in the group of candidates.
  • the authentication servers 3 of "idp004" and “idp003" are deleted from the group of candidates, since the authentication strength of the former is "1" and the retained attribute information of the latter is limited to "credit card number" and does not include the requested attribute information "mail address”.
  • the authentication server selecting part 407 leaves only authentication servers 3 whose value of usage condition conforms with the user's presence information acquired in the step S14, and deletes the others from the group of candidates.
  • the information specifying "home” has been acquired as the presence information, and thus, among the group of candidates, the candidates of "idp001" and “idp002" whose usage condition conforms with "home” or "*" (which means that no usage condition is designated) are left in the group of candidates.
  • the value of the last authentication time field 402d of the user policy information table 402a stored in the user policy storage area 402 is replaced by the current time.
  • the last authentication time field of "idp002" is rewritten to the current time (for example, 2008-08-22T16:50:36).
  • the authentication server selecting part 413 acquires the providing URI of the authentication scheme (for coping with the shortfall of authentication strength) provided by the authentication server 3B selected as the candidate, from the providing URI field 406e of the provided authentication strength information table 406a stored in the provided authentication strength information storage area 406. Then, the authentication server selecting part 413 generates a response message (corresponding to the information acquisition request message) that contains information specifying the acquired providing URI, and transmits the message to the service providing server 2A indirectly via the terminal device 1 (S16, S17).
  • the providing URI "https://idp002/" of the digital certificate type authentication scheme provided by the authentication server ID "idp002" is transmitted to the service providing server 2A indirectly via the terminal device 1.
  • the authentication server information acquisition part 207 acquires the providing URI from the received response message, and the authentication request processing part 208 transmits an authentication request message to the providing URI via the terminal device 1 (S 18, S 19).
  • the authentication execution part 307 performs authentication processing between the authentication server 3B and the terminal device 1 used by the user (S20).
  • the authentication server 3 identified by the authentication server ID "idp002" supports the digital certificate type authentication scheme, and thus the authentication execution part 307 requests a digital certificate of the user from the terminal device 1 through the transmitting/receiving part 314 and the network 6, to acquire the digital certificate.
  • the authentication execution part 307 examines the validity of the acquired digital certificate (here, description will be given assuming that the digital certificate is valid), and the authentication result generation part 308 generates an authentication result message indicating that the user has succeeded in the authentication, and transmits the message to the service providing server 2A indirectly via the terminal device 1 (S21, S22).
  • the authentication request processing part 208 acquires information specifying the authentication result from the received authentication result message, and examines the validity of the authentication result (S23).
  • the authentication server information acquisition part 207 When the user's validity is ascertained as a result of verification of the authentication result, the authentication server information acquisition part 207 generates an information acquisition request message notifying that authentication according to the authentication scheme provided by the providing URI has been successful, and transmits the generated message to the authentication intermediary server 4 through the transmitting/receiving part 213 and the network 6 via the terminal device 1 (S24, S25).
  • the authentication server selecting part 413 judges that additional authentication is not necessary.
  • the authentication server selecting part 413 generates a response message that includes the user ID "user001” but not a providing URI, and transmits the generated response message to the service providing server 2A through the transmitting/receiving part 420 and the network 6 and via the terminal device 1 (S27, S28).
  • the ID information i.e. the service-specific user ID for the service providing server 2A
  • the attribute information corresponding to the requested attribute information requested by the service providing server 2A
  • the authentication request processing part 208 acquires the user ID from the response message.
  • the session management part 206 generates a new session ID, and stores a pair of the user ID and the session ID in the session information table 202a stored in the session information storage area 202.
  • the service providing part 205 provides the requested service to the terminal device 1 (S29).
  • the service providing server 2A can use the ID information and the attribute information received in the steps S27 and S28. For example, the following usage can be considered. That is to say, these pieces of information may be used in login processing and verification processing necessary for the service provided by the service providing server 2A. Or, the credit card number contained in the attribute information may be used for payment for an article purchased via the service providing server 2A. Or, the mail address contained in the attribute information may be used for providing information from the service providing server 2A.
  • Fig. 22 shows a sequence in the case where the user of the terminal device 1 receives the service from the service providing server 2B.
  • the service request generation part 107 of the terminal device 1 when the user of the terminal device 1 performs a service request operation through the input part 115 of the terminal device 1 for receiving the service from the service providing server 2B, the service request generation part 107 of the terminal device 1 generates a service request message specifying the user ID "user001" of the user of the terminal device 1, and transmits the generated service request message to the service providing server 2B through the transmitting/receiving part 117 and the network 6 (S30).
  • the authentication intermediary server 4 When the authentication intermediary server 4 receives the information acquisition request message through the transmitting/receiving part 420 and the network 6, then the information acquisition request processing part 412 acquires the user ID and the service providing server ID contained in the received message, and proceeds to processing of selecting candidates for the authentication server 3 to be used.
  • “user001” is acquired as the user ID
  • "sp002" as the service providing server ID.
  • the user information acquisition part 415 generates a presence information acquisition request message specifying the user ID acquired by the information acquisition request processing part 412, and transmits the generated presence information acquisition request message to the presence server 5 through the transmitting/receiving part 420 and the network 6 (S32).
  • the information acquisition request processing part 505 acquires from the presence information storage area 502 the presence information corresponding to the user ID (here, "user001") included in the received presence information acquisition request message, and returns a response message including the acquired presence information to the authentication intermediary server 4 (S33).
  • the presence information table 502 shown in Fig. 20 information specifying "home” is acquired as the presence information corresponding to the user ID "user001".
  • the authentication server selecting part 413 acquires a set of pieces (i.e. records) of policy information (authentication server ID, last authentication time, priority, usage condition, service providing server ID condition) from the user policy information table 402a stored in the user policy information storage area 402, and stores the acquired set as a group of candidates for the authentication server 3 to be used in the storage part 401.
  • policy information authentication server ID, last authentication time, priority, usage condition, service providing server ID condition
  • the authentication server selecting part 413 acquires service providing server request information (cooperative authentication server ID, requested authentication level and requested attribute information) from the service providing server request information table 404a stored in the service providing server request information storage area 404.
  • service providing server request information table 404a shown in Fig. 12
  • the information stored in the second record from the top, for which the cooperative authentication server ID is "*”, the requested authentication level is "3" and the requested attribute information is "*” is acquired as the service providing server request information corresponding to the service providing server ID "sp002".
  • the authentication server selecting part 413 acquires the most recent (i.e. current) authentication level corresponding to the user ID "user001" from the authentication level information table 405a stored in the authentication level information storage area 405.
  • the user identified by the user ID "user001” has been authenticated according to the digital certificate type authentication scheme of "idp002" in the processing shown in Fig. 21 , and thus the current authentication level is "2".
  • the authentication server selecting part 413 refers to the authentication level definition table 407a, and compares the current authentication level "2" of the user identified by the user ID "user001” with the requested authentication level "4" in order to judge what authentication strength is required for satisfying the requested authentication level "4".
  • the authentication level "2" means the state that "authentication is performed one time according to an authentication scheme of the authentication strength 2
  • the authentication level "4" means the state that "authentication is performed according to an authentication scheme of the authentication strength "1” and an authentication scheme of the authentication strength "2” each one or more times”.
  • the authentication server selecting part 407 performs processing of narrowing down the candidates for the authentication server 3 to be used.
  • the authentication server selecting part 407 selects authentication servers that has an authentication server ID coincident with the cooperative authentication server ID contained in the service providing server request information acquired from the service providing server request information table 404a by using the service providing server ID "sp002" as a key.
  • the value of the cooperative authentication server ID for the service providing server "sp002" is "*", and thus all the authentication servers 3 in the group of candidates for the authentication server 3 to be used are left as the candidates.
  • the authentication server selecting part 407 selects only authentication servers 3 whose value of the service providing server ID condition includes the service providing server ID of the service providing server 2 as the source of the information acquisition request message, and deletes the others from the group of candidates.
  • the ID "sp002" of the service providing server as the source of the information acquisition request message is included in the service providing server ID condition of each record except for the record of "idp003", and thus the authentication servers of "idp001", “idp002" and "idp004" are left in the candidates. This indicates that the user "user001" does not want to use the authentication server "idp003" in using the service of the service providing server "sp002".
  • the authentication server selecting part 407 selects only authentication servers 3 for which the authentication strength conforms with the shortfall of authentication strength judged as described above and the retained attribute information conforms with the requested attribute information from the authentication strength information table 406a stored in the authentication strength information storage area 406.
  • the shortfall of authentication strength is "1", and "*" is designated as the requested attribute information.
  • the authentication servers complying with these conditions in the authentication strength information table 406a and the authentication server information table 403a, the authentication servers "idp001" and “idp004" are left in the group of candidates.
  • the authentication server "idp002" is deleted from the group of candidates, since its authentication strength is "2".
  • the authentication server selecting part 407 leaves only authentication servers 3 whose value of usage condition conforms with the user's presence information acquired in the step S33, and deletes the others from the group of candidates.
  • the information specifying "home” has been acquired as the presence information, and thus, among the group of candidates, the candidate "idp001" whose usage condition conforms with "home” or "*" (which means that no usage condition is designated) is left in the group of candidates.
  • the authentication server selecting part 407 leaves the candidates of the highest priority among the group of candidates, and deletes the others from the group of candidates.
  • the authentication server "idp001" remains as the candidate, and thus narrowing down of the group of candidates is not performed.
  • the value of the last authentication time field 402d of the user policy information table 402a stored in the user policy storage area 402 is replaced by the current time.
  • the last authentication time field of "idp001" is rewritten to the current time.
  • the authentication execution part 307 performs authentication processing between the authentication server 3A and the terminal device 1 used by the user (S38).
  • the authentication execution part 307 requests the user ID and the password from the terminal device 1, and acquires them through the transmitting/receiving part 314 and the network 6.
  • the authentication execution part 307 searches the user attribute information table 303a stored in the user attribute information storage area 303, in order to examine the validity of the acquired user ID and the password based on whether a password stored in the corresponding attribute field 303c is equivalent to the acquired password (here, description will be given assuming that the user ID and the password are valid). Then, the authentication result generation part 308 generates an authentication result message indicating that the user has succeeded in the authentication, and transmits the message to the service providing server 2B indirectly via the terminal device 1 (S39, S40).
  • the authentication request processing part 208 acquires the user ID from the response message.
  • the session management part 206 generates a new session ID, and stores a pair of the user ID and the session ID in the session information table 202a stored in the session information storage area 202.
  • the service providing part 205 provides the requested service to the terminal device 1 (S45).
  • the service providing server 2B can use the ID information and the attribute information received in the step S44.
  • Fig. 23 is a flowchart showing processing in the service providing server 2.
  • the session management part 206 examines whether the received service request message includes a session ID (S51). If a session ID is included (Yes in S51), the processing proceeds to the step S52. If a session ID is not included (No in S51), the processing proceeds to the step S53.
  • the session management part 205 examines whether the session information table 202a stored in the session information storage area 202 has a record corresponding to the session ID ascertained in the step S51. If such a record exists (Yes in S52), the processing proceeds to the step S65. If such a record does not exist (No in S52), the processing proceeds to the step S53.
  • the session management part 206 judges that the session corresponding to the acquired session ID is valid, and the service providing part 204 provides the service to the terminal device 1 as the source of the service request message.
  • the session management part 206 judges that the session is invalid, and the authentication server information acquisition part 207 generates an information acquisition message specifying the user ID, which is included in the service request message received in the step S50, as well as the service providing server ID of the its own apparatus.
  • the authentication server information acquisition part 207 transmits the generated information acquisition message to the authentication intermediary server 4 (S54), and awaits a response (S55).
  • the authentication server information acquisition part 207 examines whether the received response message includes a providing URI or not (S56). If the received response message includes a providing URI (Yes in S56), the processing proceeds to the step S57. If the received response message does not include a providing URI (No in S56), the processing proceeds to the step S63.
  • the authentication request processing part 208 judges that further authentication is needed, and thus transmits via the terminal device 1 an authentication request message to the authentication server 3 specified by the providing URI ascertained in the step S56 (S57), and awaits a response (S58).
  • the authentication request processing part 208 acquires information specifying an authentication result from the received response message (S59) and examines the validity of the authentication result (S60).
  • an information acquisition message which includes the providing URI ascertained in the step S56, information meaning success of authentication, and the user's attribute information included in the authentication result acquired in the step S59, is generated in order to notify the authentication intermediary server 4 that the user's validity has been ascertained (the step S61). Then, the processing returns to the step S54, to repeat the processing.
  • the authentication server information acquisition part 207 examines whether the response message received in the step S55 is an error message or not (S63). If the response message received in the step S55 is an error message (Yes in S63), then the processing is ended without providing the service to the terminal device 1. If the response message received in the step S55 is not an error message (No in S63), the processing proceeds to the step S64.
  • the authentication server information acquisition part 207 judges that further authentication is not necessary.
  • the authentication request processing part 208 acquires the user's identification information (i.e. service-specific user ID) for the service providing server 2 and the attribute information from the response message to the information acquisition message.
  • the session management part 206 generates a new session ID, and stores a pair of the identification information (user ID) in question and the session ID in the session information table 202a stored in the session information storage area 202.
  • the service providing part 205 provides the service to the terminal device 1 (S65).
  • the service providing part 205 can use the user's identification information (service-specific user ID) and the attribute information acquired in the step S64.
  • the session management part 308 examines whether the session information table 302a stored in the session information storage area 302 has a record corresponding to the session ID ascertained in the step S71, in order to judge whether the session is valid or not.
  • the session management part 308 judges that the session is valid (Yes in S72), and the processing proceeds to the step S76. If the session management part 308 cannot acquire a destination ID associated with the session ID included in the user authentication request message from the session information table 302a, then the session management part 308 judges that the session is invalid (No in S72), and the processing proceeds to the step S73.
  • the authentication execution part 307 may perform user authentication by transmitting a random number sequence to the terminal device 1 and by using the digital certificate (public key) of the terminal device 1 stored in the user attribute storage area 303 to verify that information returned from the terminal device 1 has been calculated by a secret key held by the terminal device 1.
  • the authentication execution part 307 examines whether the authentication processing in the step S73 has resulted in successful authentication or not (S74). If the authentication is successful (Yes in the step S74), then the processing proceeds to the step S75. If the authentication has failed (No in the step S74), the processing proceeds to the step S77.
  • the session management part 309 In the step S75, the session management part 309 generates a new session ID, and stores a pair of the user ID acquired as a result of the authentication in the step S73 and the generated session ID in the session information table 302a stored in the session information storage area 302 (S75).
  • the authentication result generation part 308 generates an authentication result message showing the user's authentication has been successful, and transmits indirectly via the terminal device 1 the generated authentication result message to the service providing server 2 as the source of the user authentication request message.
  • the transmitted authentication result message stores, as a user ID, a destination ID associated with the session ID.
  • the authentication result message includes the attribute information managed by the authentication server 3, of the user identified by the user ID.
  • the terminal device 1 may be notified to the terminal device 1 before execution of the authentication (i.e. before S73) or before transmitting the authentication result (i.e. before S76) that transmission of an authentication result will be notified to the service providing server 2.
  • the service using part 106 of the terminal device 1 receives a service use request directed to a service providing server 2 from the user through the input part 115 (Yes in S80), then the service request generation part 107 generates a service request message specifying the user ID, and the service communication part 108 transmits the generated service request message to the service providing server 2 through the transmitting/receiving part 117 and the network 6 (S81) and awaits a response (S82).
  • the service request message may include an ID of an authentication intermediary server 4 that the user wants to use.
  • step S82 If the response message acquired in the step S82 is not an information acquisition message (No in S83), then the processing proceeds to the step S89. On the other hand, if the response message is an information acquisition message (Yes in S83), then the processing proceeds to the step S84.
  • the service communication part 108 transfers the response message to the service providing server (S86).
  • the service communication part 108 ends the processing. If the response message is not an error message (No in S87), the service communication part 108 awaits a response to the message transferred in the step S86 (S88).
  • the service communication part 108 examines whether the response message is an authentication request message to be transmitted to the authentication server 3.
  • the service providing server 2 and the authentication server 3 can communicate with one another by using HTTP or HTTPS as in the case of SAML Web SSO Profile described in Document 2 or OpenID Authentication described in Document 3, then by using the function of HTTP redirect a HTTP request may only be transmitted to a URL indicated by the Location header in the response message without judging whether the response message is an authentication request message.
  • it is considered that whether the response message is an authentication request message or not is equivalent to whether the URL indicated by the Location header is equal to the URL of the authentication server or not.
  • the service from the service providing server 2 is enjoyed (S90). If the information (service-specific user ID and attribute information) required in receiving the service from the service providing server 2 is previously registered in the authentication intermediary server 4, it is possible to arrange that additional acquisition of the information is not requested at the time of receiving the service.
  • the response message is an authentication request message (Yes in S89)
  • the response message i.e. the authentication request message
  • the authentication server 3 (S91).
  • the authentication processing part 109 performs the corresponding authentication processing by suitably using the input part 115 and the output part 116 (S92). For example, when a pair of the user ID and the password is requested by the authentication server 3, then the authentication processing part 109 requests the user to input a pair of the user ID and the password, and transmits the acquired pair of the user ID and the password to the authentication server 3 through the transmitting/receiving part 117 and the network 6.
  • the authentication processing part 109 judges whether the authentication processing in the step S92 is successful or not (S93). If the authentication processing is not successful (No in S93), i.e. if the user's identity cannot be proved to the authentication server 3, then the service using part 106 displays on the output part 116 an error message indicating to the user that the authentication has failed (S94), and ends the processing without enjoying the service.
  • the authentication processing part 109 transfers the authentication result message which is returned as the response from the authentication server 3, to the service providing server 2 (S96). And the processing returns to the step S82, to repeat the processing.
  • the user information acquisition part 415 transmits a user information acquisition request specifying the user ID acquired in the step S101 to the presence server 5 through the transmitting/receiving part 211 and the network 6, to acquire the presence information of the user identified by the user ID from the presence server 5 (S102). If a server that manages user's information similar to the presence exists on the network 6, the user information may be acquired from that server.
  • the authentication server selecting part 413 updates the authentication level information table 405a in the authentication level information storage area 405. That is to say, the authentication server selecting part 413: searches the authentication level information table 405a by using as a key the user ID acquired in the step S101, to acquire the authentication level of the record specified by the user ID; searches the provided authentication strength information table 406a stored in the provided authentication strength information storage area 406 by using as a key the providing URI ascertained in the step S105, to acquire the authentication strength of the authentication scheme provided at the providing URI; refers to the definition in the authentication level definition information table 407a stored in the authentication level definition information storage area 407 to specify the new authentication level; and updates the authentication level field 405c corresponding to the user ID acquired in the step S101 in the authentication level information table 405a.
  • the identity conversion part 416 updates the attribute information table 409a stored in the attribute information storage area 409 (S108). That is to say, the identity conversion part 416 searches the attribute information table 409a by using as a key the user ID acquired in the step S101, and stores, as the attribute value of the user specified by the user ID, the attribute value included in the information acquisition request message acquired in the step S100.
  • the authentication server selecting part 413 selects only authentication servers whose value of the service providing server ID condition includes the service providing server ID of the service providing server 2 as the source of the information acquisition request message, and deletes the others from the group of candidates. If the value of the service providing server ID condition is "*", all the authentication servers in the group of candidates are left as the candidates.
  • the authentication server selecting part 413 examines whether a candidate for an authentication server to be used is remaining in the group of candidates (S113). If no candidate remains (No in the step S 113), the processing proceeds to the step S 114. If there is a remaining candidate (Yes in the step S 113), the processing proceeds to the step S 115.
  • the authentication server selecting part 413 selects candidates that have the highest priority among the authentication servers 3 remaining in the group of candidates.
  • the best authentication server 3 is selected dynamically based on the user's policy, the supported authentication scheme and requested attributed information of the service providing server 2, and the user's presence information, to be used for authentication.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)
EP09014702A 2008-11-26 2009-11-25 Authentication intermediary server and programs therefor Withdrawn EP2194482A1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2008301659A JP5153591B2 (ja) 2008-11-26 2008-11-26 認証仲介サーバ、プログラム、認証システム及び選択方法

Publications (1)

Publication Number Publication Date
EP2194482A1 true EP2194482A1 (en) 2010-06-09

Family

ID=42035784

Family Applications (1)

Application Number Title Priority Date Filing Date
EP09014702A Withdrawn EP2194482A1 (en) 2008-11-26 2009-11-25 Authentication intermediary server and programs therefor

Country Status (4)

Country Link
US (1) US20100138899A1 (ja)
EP (1) EP2194482A1 (ja)
JP (1) JP5153591B2 (ja)
CN (1) CN101741840A (ja)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2490396A1 (en) * 2011-02-15 2012-08-22 Canon Kabushiki Kaisha Information processing system, method for controlling information processing system, and program
EP2770689A1 (en) * 2013-02-20 2014-08-27 ALAXALA Networks Corporation Authentication method, transfer apparatus, and authentication server
EP2624501A4 (en) * 2010-10-26 2015-12-09 Zte Corp AUTHENTICATION ROUTING SYSTEM, METHOD AND AUTHENTICATION ROUTER FOR A CLOUD COMPUTING SERVICE
WO2016022057A1 (en) * 2014-08-08 2016-02-11 Identitrade Ab Method and system for authenticating a user
EP3493463A1 (en) * 2017-11-30 2019-06-05 Canon Kabushiki Kaisha System and control method therefor
WO2021146164A1 (en) * 2020-01-14 2021-07-22 Cisco Technology, Inc. Wireless lan (wlan) public identity federation trust architecture

Families Citing this family (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090249078A1 (en) * 2008-03-28 2009-10-01 Electronics And Telecommunications Research Institute Open id authentication method using identity selector
US8844040B2 (en) * 2009-03-20 2014-09-23 Citrix Systems, Inc. Systems and methods for using end point auditing in connection with traffic management
US8707418B2 (en) * 2009-11-06 2014-04-22 Telefonaktiebolaget L M Ericsson (Publ) System and methods for web-application communication
JP5389702B2 (ja) 2010-03-12 2014-01-15 株式会社日立製作所 Idブリッジサービスシステム及びその方法
US8671187B1 (en) 2010-07-27 2014-03-11 Aerohive Networks, Inc. Client-independent network supervision application
JP5418681B2 (ja) 2010-08-06 2014-02-19 富士通株式会社 仲介処理方法、仲介装置及びシステム
JP4892093B1 (ja) * 2010-11-09 2012-03-07 株式会社東芝 認証連携システム及びidプロバイダ装置
JP5630245B2 (ja) * 2010-11-30 2014-11-26 日本電気株式会社 認定情報検証装置及び認定情報検証プログラム並びに認定情報検証システム及び認定情報検証方法
CN102098308B (zh) * 2011-02-18 2014-07-23 杭州华三通信技术有限公司 一种Portal认证的方法和设备
US8776234B2 (en) * 2011-04-20 2014-07-08 Kaspersky Lab, Zao System and method for dynamic generation of anti-virus databases
JP5433647B2 (ja) * 2011-07-29 2014-03-05 日本電信電話株式会社 ユーザ認証システム、方法、プログラムおよび装置
WO2013046336A1 (ja) * 2011-09-27 2013-04-04 株式会社野村総合研究所 グループ定義管理システム
JP2013073416A (ja) * 2011-09-28 2013-04-22 Hitachi Ltd 認証中継装置、認証中継システム及び認証中継方法
JP5197843B1 (ja) * 2011-12-27 2013-05-15 株式会社東芝 認証連携システムおよびidプロバイダ装置
JP5626919B2 (ja) * 2012-02-29 2014-11-19 Necソリューションイノベータ株式会社 ネットワークシステム、認証連携装置、認証連携方法、及びプログラム
DE13771854T1 (de) * 2012-04-01 2015-12-03 Authentify, Inc. Sichere Authentifizierung in einem Mehrparteiensystem
JP2013257625A (ja) * 2012-06-11 2013-12-26 Nippon Telegr & Teleph Corp <Ntt> 認証要求変換装置および認証要求変換方法
EP2677715A1 (en) * 2012-06-22 2013-12-25 Alcatel Lucent A method and a server for evaluating a request for access to content from a server in a computer network
US9948626B2 (en) * 2013-03-15 2018-04-17 Aerohive Networks, Inc. Split authentication network systems and methods
US9690676B2 (en) 2013-03-15 2017-06-27 Aerohive Networks, Inc. Assigning network device subnets to perform network activities using network device information
JP5662507B2 (ja) * 2013-03-28 2015-01-28 株式会社 ディー・エヌ・エー 認証方法、認証システム、および、サービス提供サーバ
JP5760037B2 (ja) * 2013-05-17 2015-08-05 日本電信電話株式会社 ユーザ認証装置、方法及びプログラム
US9152782B2 (en) 2013-12-13 2015-10-06 Aerohive Networks, Inc. Systems and methods for user-based network onboarding
CN103701891A (zh) * 2013-12-20 2014-04-02 贝壳网际(北京)安全技术有限公司 跨终端下载的方法、系统、服务器、移动终端和固定终端
GB2524010A (en) * 2014-03-10 2015-09-16 Ibm User authentication
JP5793593B2 (ja) * 2014-03-13 2015-10-14 キーパスコ アーベーKeypasco AB ユーザ識別情報を安全に検証するためのネットワーク認証方法
US9832252B2 (en) * 2014-03-27 2017-11-28 Genband Us Llc Systems, methods, and computer program products for third party authentication in communication services
JP6258111B2 (ja) * 2014-04-15 2018-01-10 日本電信電話株式会社 認証システム及び認証方法
JP6215134B2 (ja) * 2014-05-14 2017-10-18 日本電信電話株式会社 認証システム、認証方法、認証装置及び認証プログラム
SE538485C2 (en) * 2014-08-08 2016-08-02 Identitrade Ab Method and system for authenticating a user
US9591049B2 (en) 2014-09-16 2017-03-07 Inemsoft, Inc. Systems and methods of managing communication endpoints
JP6459398B2 (ja) * 2014-10-30 2019-01-30 株式会社リコー 情報処理システム、情報処理装置、アクセス制御方法及びプログラム
WO2016081609A1 (en) * 2014-11-19 2016-05-26 Eyelock Llc Model-based prediction of an optimal convenience metric for authorizing transactions
JP6250595B2 (ja) * 2015-07-01 2017-12-20 e−Janネットワークス株式会社 通信システム及びプログラム
JP6672964B2 (ja) * 2016-03-31 2020-03-25 ブラザー工業株式会社 仲介サーバ
US10140443B2 (en) * 2016-04-13 2018-11-27 Vmware, Inc. Authentication source selection
CN106453278B (zh) * 2016-09-23 2019-04-30 财付通支付科技有限公司 信息验证方法及验证平台
GB2561822B (en) * 2017-04-13 2020-02-19 Arm Ip Ltd Reduced bandwidth handshake communication
US10708268B2 (en) * 2017-07-31 2020-07-07 Airwatch, Llc Managing voice applications within a digital workspace
CN109600337B (zh) * 2017-09-30 2020-12-15 腾讯科技(深圳)有限公司 资源处理方法、装置、系统及计算机可读介质
US11658995B1 (en) 2018-03-20 2023-05-23 F5, Inc. Methods for dynamically mitigating network attacks and devices thereof
CN110032860B (zh) * 2018-12-27 2020-07-28 阿里巴巴集团控股有限公司 登录方式的推送、展示方法、装置及设备
CN114424170A (zh) * 2019-09-25 2022-04-29 日本电气株式会社 操作管理设备、系统、方法和存储有程序的非暂时性计算机可读介质
US10892892B1 (en) * 2020-05-01 2021-01-12 Volterra, Inc. Method and apparatus for end-to-end secure sharing of information with multiple recipients without maintaining a key directory

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1104133A1 (en) * 1999-11-29 2001-05-30 BRITISH TELECOMMUNICATIONS public limited company Network access arrangement
WO2003069531A1 (en) * 2002-02-11 2003-08-21 Total System Services, Inc. System and method for single event authorization control of transactions
US20030177356A1 (en) * 2002-03-15 2003-09-18 Noel Abela Method and system for internationally providing trusted universal identification over a global communications network
WO2004081750A2 (en) * 2003-03-11 2004-09-23 Innovatrend, Inc. Verified personal information database
WO2004114226A1 (de) * 2003-06-24 2004-12-29 T-Cos Arbeitszeiterfassungssystem sowie verfahren zur arbeitszeiterfassung
US20050228675A1 (en) * 2004-03-18 2005-10-13 Marian Trinkel Method and system for person/speaker verification via communications systems
EP1613017A1 (en) * 2004-06-28 2006-01-04 NTT DoCoMo, Inc. Authentication method, terminal device, relay device, and authentication server

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6085085A (en) * 1996-03-27 2000-07-04 Qualcomm Incorporated Method and apparatus for performing preferred system selection
US7617317B2 (en) * 2001-12-03 2009-11-10 Sprint Spectrum L.P. Method and system for allowing multiple service providers to serve users via a common access network
US20040002878A1 (en) * 2002-06-28 2004-01-01 International Business Machines Corporation Method and system for user-determined authentication in a federated environment
JP2004342088A (ja) * 2003-04-21 2004-12-02 Sony Corp 端末機器認証システム、端末機器、第1の振り分けサーバ、振り分けシステム、サービスサーバ、第2の振り分けサーバ、端末機器方法、第1の振り分け方法、振り分け方法、サービス提供方法、サービスサーバ方法、第1の振り分け方法、第2の振り分け方法、端末機器プログラム、第1の振り分けプログラム、振り分けプログラム、サービスサーバプログラム、第2の振り分けプログラム、及び記憶媒体
JP4813167B2 (ja) * 2005-12-07 2011-11-09 シャープ株式会社 サービス管理装置、サービス管理システム、プログラムおよび記録媒体
JP4913457B2 (ja) * 2006-03-24 2012-04-11 株式会社野村総合研究所 認証強度の異なるサーバに対応した連携型認証方法及びシステム
JP4849962B2 (ja) * 2006-06-06 2012-01-11 株式会社リコー 画像処理装置、認証サーバ選択方法及びプログラム
JP2008117326A (ja) * 2006-11-08 2008-05-22 Fuji Xerox Co Ltd サービス利用認可システム、コンテンツ利用認可システム、サービス利用認可プログラム、コンテンツ利用認可プログラムおよびサービス利用認可方法

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1104133A1 (en) * 1999-11-29 2001-05-30 BRITISH TELECOMMUNICATIONS public limited company Network access arrangement
WO2003069531A1 (en) * 2002-02-11 2003-08-21 Total System Services, Inc. System and method for single event authorization control of transactions
US20030177356A1 (en) * 2002-03-15 2003-09-18 Noel Abela Method and system for internationally providing trusted universal identification over a global communications network
WO2004081750A2 (en) * 2003-03-11 2004-09-23 Innovatrend, Inc. Verified personal information database
WO2004114226A1 (de) * 2003-06-24 2004-12-29 T-Cos Arbeitszeiterfassungssystem sowie verfahren zur arbeitszeiterfassung
US20050228675A1 (en) * 2004-03-18 2005-10-13 Marian Trinkel Method and system for person/speaker verification via communications systems
EP1613017A1 (en) * 2004-06-28 2006-01-04 NTT DoCoMo, Inc. Authentication method, terminal device, relay device, and authentication server

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CHAUM D: "SECURITY WITHOUT IDENTIFICATION: TRANSACTION SYSTEMS TO MAKE BIG BROTHER OBSOLETE", COMMUNICATIONS OF THE ASSOCIATION FOR COMPUTING MACHINERY, ACM, NEW YORK, NY, US LNKD- DOI:10.1145/4372.4373, vol. 28, no. 10, 1 October 1985 (1985-10-01), pages 1030 - 1044, XP002000086, ISSN: 0001-0782 *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2624501A4 (en) * 2010-10-26 2015-12-09 Zte Corp AUTHENTICATION ROUTING SYSTEM, METHOD AND AUTHENTICATION ROUTER FOR A CLOUD COMPUTING SERVICE
EP2490396A1 (en) * 2011-02-15 2012-08-22 Canon Kabushiki Kaisha Information processing system, method for controlling information processing system, and program
US8938789B2 (en) 2011-02-15 2015-01-20 Canon Kabushiki Kaisha Information processing system, method for controlling information processing system, and storage medium
EP2770689A1 (en) * 2013-02-20 2014-08-27 ALAXALA Networks Corporation Authentication method, transfer apparatus, and authentication server
US9258305B2 (en) 2013-02-20 2016-02-09 Alaxala Networks Corporation Authentication method, transfer apparatus, and authentication server
EP3178195A4 (en) * 2014-08-08 2017-07-19 Identitrade AB Method and system for authenticating a user
WO2016022057A1 (en) * 2014-08-08 2016-02-11 Identitrade Ab Method and system for authenticating a user
US10212154B2 (en) 2014-08-08 2019-02-19 Identitrade Ab Method and system for authenticating a user
EP3493463A1 (en) * 2017-11-30 2019-06-05 Canon Kabushiki Kaisha System and control method therefor
US11044245B2 (en) 2017-11-30 2021-06-22 Canon Kabushiki Kaisha System and control method therefor
WO2021146164A1 (en) * 2020-01-14 2021-07-22 Cisco Technology, Inc. Wireless lan (wlan) public identity federation trust architecture
US11258779B2 (en) 2020-01-14 2022-02-22 Cisco Technology, Inc. Wireless LAN (WLAN) public identity federation trust architecture
US11765153B2 (en) 2020-01-14 2023-09-19 Cisco Technology, Inc. Wireless LAN (WLAN) public identity federation trust architecture

Also Published As

Publication number Publication date
US20100138899A1 (en) 2010-06-03
JP2010128719A (ja) 2010-06-10
CN101741840A (zh) 2010-06-16
JP5153591B2 (ja) 2013-02-27

Similar Documents

Publication Publication Date Title
EP2194482A1 (en) Authentication intermediary server and programs therefor
Groß Security analysis of the SAML single sign-on browser/artifact profile
US8326981B2 (en) Method and system for providing secure access to private networks
CN101341492B (zh) 提供和接收身份相关的信息的方法和系统
RU2332711C2 (ru) ЗАЩИЩЕННАЯ ОБРАБОТКА МАНДАТА КЛИЕНТСКОЙ СИСТЕМЫ ДЛЯ ДОСТУПА К РЕСУРСАМ НА ОСНОВЕ Web
US7191467B1 (en) Method and system of integrating third party authentication into internet browser code
JP4701238B2 (ja) 双方向通信経路を介した鍵合意および鍵の再生成
US8819253B2 (en) Network message generation for automated authentication
KR100613316B1 (ko) 단일 사용 승인을 사용하는 신원 관리 시스템
CN100534092C (zh) 用于执行认证操作的方法及其装置
US8220032B2 (en) Methods, devices, and computer program products for discovering authentication servers and establishing trust relationships therewith
US8489736B2 (en) Mediation device, mediation method and mediation system
US20030065956A1 (en) Challenge-response data communication protocol
JP4467256B2 (ja) 代理認証プログラム、代理認証方法、および代理認証装置
US20080072053A1 (en) Web-based authentication system and method
JP2005538434A (ja) 連携型(フェデレーテッド)環境におけるユーザ判定による認証のための方法およびシステム
US20050021957A1 (en) Authentication method in wire/wireless communication system using markup language
TW201141176A (en) Method and apparatus for providing trusted single sing-on access to applications and internet-based services
WO2011110539A9 (en) System and method for using a portable security device to cryptographically sign a document in response to signature requests from a relying party to a digital signature service
JP4960738B2 (ja) 認証システム、認証方法および認証プログラム
JP3593979B2 (ja) 利用権制御を伴うサーバおよびクライアントならびにサービス提供方法および利用権証明方法
JP4824986B2 (ja) 認証システム、認証方法および認証プログラム
US20080307500A1 (en) User identity management for accessing services
JP4914725B2 (ja) 認証システム、認証プログラム
JP5434441B2 (ja) 認証id管理システム及び認証id管理方法

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20100331

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

AX Request for extension of the european patent

Extension state: AL BA RS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20131209

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Free format text: PREVIOUS MAIN CLASS: G06F0021200000

Ipc: G06F0021000000

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Free format text: PREVIOUS MAIN CLASS: G06F0021200000

Ipc: G06F0021000000

Effective date: 20140526